authorErmal Luçi <eri@pfsense.org>2008-03-06 17:33:32 +0000
committerErmal Luçi <eri@pfsense.org>2008-03-06 17:33:32 +0000
commit267ab13f685d0435d7867705e60409a7081e06df (patch)
tree65eb5361c9a52686ce35f5081811f07d5041925e /usr
parentbc1fd2b7de2d3e17c0ce0cdf11b090d1c937343a (diff)
Switch to using generated certificates for server mode.
Diffstat (limited to 'usr')
-rw-r--r--usr/local/pkg/openvpn.xml73
-rw-r--r--usr/local/pkg/openvpn_cli.xml6
-rw-r--r--usr/local/www/vpn_openvpn_certs.php29
-rw-r--r--usr/local/www/vpn_openvpn_certs_create.php105
4 files changed, 104 insertions, 109 deletions
diff --git a/usr/local/pkg/openvpn.xml b/usr/local/pkg/openvpn.xml
index 665bcf1..8b0cbd3 100644
--- a/usr/local/pkg/openvpn.xml
+++ b/usr/local/pkg/openvpn.xml
@@ -157,68 +157,17 @@
<onchange>onAuthMethodChanged()</onchange>
</field>
<field>
- <fieldname>shared_key</fieldname>
- <fielddescr>Shared key</fielddescr>
- <description>Paste your shared key here.</description>
- <type>textarea</type>
- <encoding>base64</encoding>
- <rows>8</rows>
- <cols>40</cols>
- </field>
- <field>
- <fieldname>ca_cert</fieldname>
- <fielddescr>CA certificate</fielddescr>
- <description>Paste your CA certificate in X.509 format here.</description>
- <type>textarea</type>
- <encoding>base64</encoding>
- <rows>8</rows>
- <cols>40</cols>
- </field>
- <field>
- <fieldname>server_cert</fieldname>
- <fielddescr>Server certificate</fielddescr>
- <description>Paste your server certificate in X.509 format here.</description>
- <type>textarea</type>
- <encoding>base64</encoding>
- <rows>8</rows>
- <cols>40</cols>
- </field>
- <field>
- <fieldname>server_key</fieldname>
- <fielddescr>Server key</fielddescr>
- <description>Paste your server key in RSA format here.</description>
- <type>textarea</type>
- <encoding>base64</encoding>
- <rows>8</rows>
- <cols>40</cols>
- </field>
- <field>
- <fieldname>dh_params</fieldname>
- <fielddescr>DH parameters</fielddescr>
- <description>Paste your Diffie Hellman parameters in PEM format here.</description>
- <type>textarea</type>
- <encoding>base64</encoding>
- <rows>8</rows>
- <cols>40</cols>
- </field>
- <field>
- <fieldname>crl</fieldname>
- <fielddescr>CRL</fielddescr>
- <description>Paste your certificate revocation list (CRL) in PEM format here (optional).</description>
- <type>textarea</type>
- <encoding>base64</encoding>
- <rows>8</rows>
- <cols>40</cols>
- </field>
- <field>
- <fieldname>tls</fieldname>
- <fielddescr>TLS</fielddescr>
- <description>Paste your HMAC signature (TLS) here (optional).</description>
- <type>textarea</type>
- <encoding>base64</encoding>
- <rows>8</rows>
- <cols>40</cols>
- </field>
+ <fieldname>cipher</fieldname>
+ <fielddescr>Certificates to apply<fielddescr>
+ <description>Certificates generated from the certificate generation tab.</description>
+ <type>select</type>
+ <options>
+ <option>
+ <value>none</value>
+ <name>none</name>
+ </option>
+ </options>
+ </field>
<field>
<fieldname>dhcp_domainname</fieldname>
<fielddescr>DHCP-Opt.: DNS-Domainname</fielddescr>
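Review bot: The new `<fielddescr>` element at the top of the replacement field is closed with `<fielddescr>` instead of `</fielddescr>`, so the package XML is no longer well-formed and the parser that reads it (the PHP pages in this commit call `parse_xml_config_pkg` on this file) may reject it or mis-nest the fields that follow; it should read `<fielddescr>Certificates to apply</fielddescr>`. The field is also named `cipher` although it selects a generated certificate set, which will mislead anyone reading the saved config; a name such as `certificate` would describe what it holds. Note too that the PHP pages in this commit reach this field by position (`['fields']['field'][11]`), so any field inserted above it later would silently retarget those writes.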
diff --git a/usr/local/pkg/openvpn_cli.xml b/usr/local/pkg/openvpn_cli.xml
index d942403..129b86f 100644
--- a/usr/local/pkg/openvpn_cli.xml
+++ b/usr/local/pkg/openvpn_cli.xml
@@ -146,7 +146,7 @@
<cols>40</cols>
</field>
<field>
- <fieldname>ca_cert</fieldname>
+ <fieldname>ca.crt</fieldname>
<fielddescr>CA certificate</fielddescr>
<description>Paste the server's CA certificate in X.509 format here.</description>
<type>textarea</type>
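Review bot: The new field names `ca.crt`, `client.crt` and `client.key` (this hunk and the two that follow, L118-L126 and L127-L135) contain a dot, and PHP rewrites dots in incoming request variable names to underscores, so if the package GUI submits these as form input names the posted values will arrive as `ca_crt`, `client_crt` and `client_key` rather than under the declared name. The failure is silent: the textarea appears to save but the value is never read back under the field name. If the goal is to match the file names stored under `$config['openvpn']['keys']`, keep an underscore form for the field name and map it to the file name in code.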
@@ -155,7 +155,7 @@
<cols>40</cols>
</field>
<field>
- <fieldname>client_cert</fieldname>
+ <fieldname>client.crt</fieldname>
<fielddescr>Client certificate</fielddescr>
<description>Paste your client certificate in X.509 format here.</description>
<type>textarea</type>
@@ -164,7 +164,7 @@
<cols>40</cols>
</field>
<field>
- <fieldname>client_key</fieldname>
+ <fieldname>client.key</fieldname>
<fielddescr>Client key</fielddescr>
<description>Paste your client key in RSA format here.</description>
<type>textarea</type>
diff --git a/usr/local/www/vpn_openvpn_certs.php b/usr/local/www/vpn_openvpn_certs.php
index dd4b943..bcf170b 100644
--- a/usr/local/www/vpn_openvpn_certs.php
+++ b/usr/local/www/vpn_openvpn_certs.php
@@ -30,7 +30,7 @@
require("guiconfig.inc");
-//$pgtitle = array("OpenVPN", "Certificate management");
+$pgtitle = array("OpenVPN", "Certificate management");
$ovpncapath = $g['varetc_path']."/openvpn/certificates";
if ($_GET['reset']) {
@@ -51,6 +51,29 @@ if ($_GET['delete']) {
write_config();
}
}
+ /* XXX: Lets do some hacking now! This implies we are not on embedded platform!!! */
+ $pkg_config = parse_xml_config_pkg("/usr/local/pkg/openvpn.xml", "packagegui");
+ $options =& $pkg_config['fields']['field'][11]['options']['option'];
+ if (is_array($options)) {
+ for ($i = 0; $i < count($options); $i++) {
+ if ($options[$i]['name'] == $caname) {
+ unset($options[$i]);
+ break;
+ }
+ }
+
+ conf_mount_rw();
+
+ $xmlcf = dump_xml_config_pkg($pkg_config, "packagegui");
+ /* write new configuration */
+ $fd = fopen("/usr/local/pkg/openvpn.xml", "w");
+ if (!$fd)
+ die("Unable to open openvpn.xml for writing in write_config()\n");
+ fwrite($fd, $xmlcf);
+ fclose($fd);
+
+ conf_mount_ro();
+ }
}
exec("cd ".$g['varetc_path']."/openvpn/certificates && /usr/bin/find . -type d -name \"[a-zA-Z0-9_]*\"", $certificates);
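Review bot: If the `fopen()` at L165 fails, the `die()` on L167 exits after `conf_mount_rw()` (L161) has already run and before `conf_mount_ro()` (L171) is reached, leaving the filesystem writable on platforms where that call matters; call `conf_mount_ro();` before the `die(...)`, and the message "in write_config()" should name this page, since the code is not inside write_config(). The same block, with the same problem, is duplicated in vpn_openvpn_certs_create.php (L307-L327 below); extracting it into a shared helper that takes the option to add or remove would keep the two copies in sync. The position index `[11]` couples both copies to the field order in openvpn.xml, so looking the field up by its `fieldname` instead would survive a reordering. `$caname` is read at L155 but assigned outside this hunk, as the enclosing `if ($_GET['delete'])` block starts before it.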
@@ -91,8 +114,10 @@ include("head.inc");
<td><a href="vpn_openvpn_certs.php?delete=<?=$cert;?>"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" title="<?=gettext("delete certificate");?>" width="17" height="17" border="0" alt="" /></a></td>
</tr>
<?php } ?>
- <tr><td><a href="vpn_openvpn_certs_create.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add a new certificate");?> width="17" height="17" border="0" alt="" /></a></td></tr>
+ <tr><td><a href="vpn_openvpn_create_certs.php"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" title="<?=gettext("add a new certificate");?> width="17" height="17" border="0" alt="" /></a></td></tr>
</table>
<?php include("fend.inc"); ?>
</body>
</html>
+
+
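Review bot: The link is changed to `vpn_openvpn_create_certs.php`, but the file this commit modifies is still `usr/local/www/vpn_openvpn_certs_create.php` (see the file header below) and the diffstat lists no rename, so the "add a new certificate" link would point at a missing page unless the file is renamed in a change not shown here. Either keep the previous href or rename the file in the same commit. The carried-forward line also lacks the closing quote after the `title` attribute (`title="<?=gettext("add a new certificate");?> width=`), which the browser will absorb into the attribute value; it should be `title="<?=gettext("add a new certificate");?>" width="17"`.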
diff --git a/usr/local/www/vpn_openvpn_certs_create.php b/usr/local/www/vpn_openvpn_certs_create.php
index e1cb298..676810f 100644
--- a/usr/local/www/vpn_openvpn_certs_create.php
+++ b/usr/local/www/vpn_openvpn_certs_create.php
@@ -1,6 +1,7 @@
<?php
+/* $Id$ */
/*
- vpn_openvpn_certs_create.php
+ vpn_openvpn_create_certs.php
part of pfSense
Copyright (C) 2004 Scott Ullrich
@@ -30,39 +31,24 @@
require("guiconfig.inc");
-//$pgtitle = array("VPN", "OpenVPN Create Certs");
+$pgtitle = array("VPN", "OpenVPN Create Certs");
$ovpncapath = $g['varetc_path']."/openvpn/certificates";
-/* XXX: hardcoded path */
+/* XXX: hardcoded path; worth making it a global?! */
$easyrsapath = "/usr/local/share/openvpn/certificates";
if ($_GET['ca']) {
- //$openssl = file_get_contents("$ovpncapath/".trim($_GET['ca'])."/vars");
- $openssl = "";
- if(file_exists("$ovpncapath/".trim($_GET['ca'])."/vars")) {
- $fd = fopen("$ovpncapath/".trim($_GET['ca'])."/vars", "r");
- $tmp = fread($fd,8096);
- $openssl .= $tmp;
- fclose($fd);
-
- preg_match('/\nsetenv KEY_EXPIRE(.*)\n/', $openssl, $cakeyexpireA);
- preg_match('/\nsetenv CA_EXPIRE(.*)\n/', $openssl, $caexpireA);
- preg_match('/\nsetenv KEY_SIZE(.*)\n/', $openssl, $cakeysize);
- preg_match('/\nsetenv KEY_COUNTRY(.*)\n/', $openssl, $countrycodeA);
- preg_match('/\nsetenv KEY_SIZE(.*)\n/', $openssl, $cakeysize);
- preg_match('/\nsetenv KEY_PROVINCE(.*)\n/', $openssl, $stateorprovinceA);
- preg_match('/\nsetenv KEY_CITY(.*)\n/', $openssl, $citynameA);
- preg_match('/\nsetenv KEY_ORG(.*)\n/', $openssl, $orginizationnameA);
- preg_match('/\nsetenv KEY_EMAIL(.*)\n/', $openssl, $emailA);
-
- $caname = trim($_GET['ca']);
- $cakeysize = trim($cakeysizeA[1]);
- $caexpire = trim($caexpireA[1]);
- $cakeyexpire = trim($cakeyexpire[1]);
- $countrycode=trim($countrycodeA[1]);
- $stateorprovince=trim($stateorprovinceA[1]);
- $cityname=trim($citynameA[1]);
- $orginizationname=trim($orginizationnameA[1]);
- $email = trim($emailA[1]);
+ if ($config['openvpn']['keys'][$_GET['ca']]) {
+ $data = $config['openvpn']['keys'][$_GET['ca']];
+ $caname = trim($_GET['ca']);
+ $cakeysize = $data['keysize'];
+ $caexpire = $data['caexpire'];
+ $cakeyexpire = $data['keyexpire'];
+ $countrycode= $data['keycountry'];
+ $stateorprovince= $data['keyprovince'];
+ $cityname= $data['keyclient'];
+ $orginizationname= $data['keyorg'];
+ $email = $data['keyemail'];
+ $caclients = $data['caclients'];
} else
$input_errors[] = "Certificate does not exist.";
}
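Review bot: The array keys read here (`keysize`, `caexpire`, `keyexpire`, `keycountry`, `keyprovince`, `keyorg`, `keyemail`) do not match the keys the save path in this same file writes (`KEYSIZE`, `KEYEXPIRE`, `CAEXPIRE`, `KEYCOUNTRY`, `KEYPROVINCE`, `KEYCITY`, `KEYORG`, `KEYEMAIL` at L289-L297); PHP array keys are case-sensitive, so every value loaded for an existing CA will be null, and `$cityname` additionally reads `keyclient` where the save path writes `KEYCITY`. The lookup on L235 also uses `$_GET['ca']` untrimmed while `$caname` is assigned from `trim($_GET['ca'])`, so the two can refer to different entries. Reading with the same key names the save path uses, and keying the lookup on the trimmed name, makes reload consistent; the read side rewritten that way follows.
```php
if ($config['openvpn']['keys'][trim($_GET['ca'])]) {
	$caname = trim($_GET['ca']);
	$data = $config['openvpn']['keys'][$caname];
	/* key names must match the ones written by the save path below */
	$cakeysize = $data['KEYSIZE'];
	$caexpire = $data['CAEXPIRE'];
	$cakeyexpire = $data['KEYEXPIRE'];
	$countrycode = $data['KEYCOUNTRY'];
	$stateorprovince = $data['KEYPROVINCE'];
	$cityname = $data['KEYCITY'];
	$orginizationname = $data['KEYORG'];
	$email = $data['KEYEMAIL'];
	$caclients = $data['caclients'];
} else
	$input_errors[] = "Certificate does not exist.";
```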
@@ -129,19 +115,21 @@ if ($_POST) {
fwrite($fd, "$easyrsapath/pkitool --batch --server server \n");
fwrite($fd, "echo \"Creating DH Parms...\" \n");
fwrite($fd, "openssl dhparam -out $ovpncapath/$caname/dh_params.dh $cakeysize \n");
- fwrite($fd, "echo \"Creating Client Certificates...\" \n");
- /* NOTE: i know that shel can do this too but i just do not care! */
- $cmdclients = "";
- for ($i = 0; $i < intval($caclients); $i++) {
- $cmdclients .= "echo \"Creating client$i certificate...\" \n";
- $cmdclients .= "$ovpncapath/pkitool --batch client$i \n";
+ if ($caclients && intval($caclients) > 0) {
+ fwrite($fd, "echo \"Creating Client Certificates...\" \n");
+ /* NOTE: i know that shel can do this too but i just do not care! */
+ $cmdclients = "";
+ for ($i = 0; $i < intval($caclients); $i++) {
+ $cmdclients .= "echo \"Creating client$i certificate...\" \n";
+ $cmdclients .= "$ovpncapath/pkitool --batch client$i \n";
+ }
+ fwrite($fd, "$cmdclients \n");
+ fwrite($fd, "cd $ovpncapath/$caname \n");
+ fwrite($fd, "tar czvf client_certificates.tar.gz $ovpncapath/$caname/ca.crt $ovpncapath/$caname/shared.key $ovpncapath/$caname/client* \n");
+ fwrite($fd, "echo \"Removing client certificates...\" \n");
+ fwrite($fd, "rm $ovpncapath/$caname/client* \n");
+ fwrite($fd, "cp $ovpncapath/client_certificates.tar.gz $ovpncapath/$caname/ \n");
}
- fwrite($fd, "$cmdclients \n");
- fwrite($fd, "cd $ovpncapath/$caname \n");
- fwrite($fd, "tar czvf $ovpncapath/$caname/client_certificates.tar.gz $ovpncapath/$caname/ca.crt $ovpncapath/$caname/shared.key $ovpncapath/$caname/client* \n");
- fwrite($fd, "echo \"Removing client certificates...\" \n");
- fwrite($fd, "rm $ovpncapath/$caname/client* \n");
- fwrite($fd, "cp $ovpncapath/client_certificates.tar.gz $ovpncapath/$caname/ \n");
fwrite($fd, "echo \"Done!\" \n");
fclose($fd);
}
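Review bot: After `cd $ovpncapath/$caname` (L269) the archive is written relative to that directory (L270), so it lands in `$ovpncapath/$caname/client_certificates.tar.gz`, yet L273 then copies `$ovpncapath/client_certificates.tar.gz`, a path nothing in this script creates; the `cp` will fail, and either the earlier absolute output path in the tar command or dropping the `cp` line would make the steps consistent. The loop also calls `$ovpncapath/pkitool` (L266) whereas the server certificate on L251 uses `$easyrsapath/pkitool`; the two directories differ and only one of them is likely to hold the tool. Separately, the archive bundles `shared.key`, the CA certificate and every `client*` file, so each client's private key is handed to every recipient of the tarball; if per-client distribution is intended, one archive per client would limit what any single client holds. The values spliced into the generated script (`$caname`, `$cakeysize`, `$caclients`) originate outside this hunk, so whether they are validated before reaching the shell could not be checked here.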
@@ -183,13 +171,46 @@ if ($_POST) {
$ovpnkeys =& $config['openvpn']['keys'];
if (!is_array($ovpnkeys[$caname]))
$ovpnkeys[$caname] = array();
+ /* vars */
+ $ovpnkeys[$caname]['KEYSIZE'] = $cakeysize;
+ $ovpnkeys[$caname]['KEYEXPIRE'] = $cakeyexpire;
+ $ovpnkeys[$caname]['CAEXPIRE'] = $caexpire;
+ $ovpnkeys[$caname]['KEYCOUNTRY'] = $countrycode;
+ $ovpnkeys[$caname]['KEYPROVINCE'] = $stateorprovince;
+ $ovpnkeys[$caname]['KEYCITY'] = $cityname;
+ $ovpnkeys[$caname]['KEYORG'] = $orginizationname;
+ $ovpnkeys[$caname]['KEYEMAIL'] = $email;
+ $ovpnkeys[$caname]['caclients'] = intval($caclients);
+ /* ciphers */
$ovpnkeys[$caname]['ca.key'] = file_get_contents("$ovpncapath/$caname/ca.key");
$ovpnkeys[$caname]['ca.crt'] = file_get_contents("$ovpncapath/$caname/ca.crt");
$ovpnkeys[$caname]['shared.key'] = file_get_contents("$ovpncapath/$caname/shared.key");
$ovpnkeys[$caname]['server.key'] = file_get_contents("$ovpncapath/$caname/server.key");
$ovpnkeys[$caname]['server.crt'] = file_get_contents("$ovpncapath/$caname/server.crt");
$ovpnkeys[$caname]['dh_params.dh'] = file_get_contents("$ovpncapath/$caname/dh_params.dh");
+ /* save it */
write_config();
+ /* XXX: Lets do some hacking now! This implies we are not on embedded platform!!! */
+ $pkg_config = parse_xml_config_pkg("/usr/local/pkg/openvpn.xml", "packagegui");
+ $options =& $pkg_config['fields']['field'][11]['options']['option'];
+ if (!is_array($options))
+ $options = array();
+ $opt = array();
+ $opt['name'] = $caname;
+ $opt['value'] = $caname;
+ $options[] = $opt;
+
+ conf_mount_rw();
+
+ $xmlcf = dump_xml_config_pkg($pkg_config, "packagegui");
+ /* write new configuration */
+ $fd = fopen("/usr/local/pkg/openvpn.xml", "w");
+ if (!$fd)
+ die("Unable to open openvpn.xml for writing in write_config()\n");
+ fwrite($fd, $xmlcf);
+ fclose($fd);
+
+ conf_mount_ro();
} else { ?>
<tr>
<td width="35%" valign="top" class="vncell"><B>Certificate Name</td>
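Review bot: `$options[] = $opt` at L315 appends a new `<option>` every time a certificate set is saved, with no check for an existing entry of the same name, while L286-L287 show that re-saving an existing `$caname` is an expected path; repeated saves will therefore produce duplicate select entries, and the delete page removes only the first match. Guard the append by scanning `$options` first and skipping when an entry with `$o['name'] == $caname` is already present. The package-file rewrite also runs after `write_config()` on L306, so if the rewrite fails the saved config and openvpn.xml are left disagreeing about which certificate sets exist; performing the rewrite first, or reporting the failure through `$input_errors`, would keep the two in step.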